Is WordPress Secure?

Yes. The core WordPress software - the software that powers over 30% of all the websites on the Internet - is secure.

If you installed a fresh copy of the core WordPress software at a secure host, kept it updated, and used secure account credentials, it's unlikely that your site would ever experience issues.

While there are occasional vulnerabilities that get discovered, the WordPress Security Team usually gets them patched right away.

Here's what's not guaranteed to be secure, though:

Extensions and human behavior.

Yup - as I'll show you in a second, your WordPress site is most likely to get hacked as a result of the extensions that you install or the human errors that you make (the goal of this post is that you don't make those errors).

How WordPress Sites Get Hacked: Based On Data

Because WordPress is so popular, we don't have to guess how WordPress sites get hacked. Companies like Sucuri and Wordfence have done awesome research on this exact subject.

Let's start with the core software. Of the hacked WordPress sites that Sucuri looked at, 61% of them were running out-of-date software when they got infected:

A second ago I told you that WordPress was secure...but that's only if you keep it updated.

For example, in February 2017 there was a REST API vulnerability in the WordPress core that led to hundreds of thousands of sites getting defaced. But weeks before the vulnerability started being actively exploited, the core team had already released an update that fixed it.

All these sites were defaced simply because they didn't update.

Let's go a little deeper, though. There are other reasons that your site might get hacked.

Wordfence surveyed 1,032 hacked site owners and, of the owners who knew how their site got hacked (which wasn't the majority), here are the reasons:

All of that data adds up to three of my five big rules for WordPress security:

Most hacked sites aren't running the latest WordPress version

Poor quality plugins or themes are a big attack vector

Not properly securing your login is another big security hole

And those rules lead me to my next point...

WordPress Security Is A Philosophy, Not A Plugin

While there are some great security plugins that I'll discuss, there's no 100% "set it and forget it" solution for making your WordPress site secure.

No, I don't mean that you need to sit there and slave away every day manually running malware scans on your site.

I just mean that security is a philosophy that you need to adopt. Security is saying, "hey, maybe I should read this plugin's reviews before I install it and see if it has any known vulnerabilities". Or, "hey, there's a new WordPress security update out today. Let me go apply it right now on all my sites."

The 5 Biggest Things You Can Do Right Now To Secure Your WordPress Site

There are all kinds of smaller tweaks that you can make to harden your site that I'll discuss in the next section. They're all worthwhile, but I know that not everyone has time to go through ~20 different security items and make every single tweak.

So if you only do five things, I think these are what you should do at a minimum.

1. A.B.U. (Always Be Updating)

Updates are one of those things that most people know are important...but most people also quickly forget about.

Don't be like most people.

WordPress has put in so many features to make updates easy. In fact, nowadays all you need to do is click a button and WordPress does everything for you.

If you're not sure how it works, you just look for the red icons (this is a test localhost site - that's why I have so many update notifications!):

Then, you can go to Dashboard → Updates and run all your updates at once:

A FEW NOTES ON UPDATES:

If you hold off on updates because you're worried they might break your site...stop doing that. Instead, pick a host with a staging site feature so that you can quickly test on your staging site and then push the update live once you know it won't break anything.

If you can't check your WordPress dashboard that often, you can use the WP Updates Notifier plugin to get email notifications when there's a new plugin or theme update.

You can use the Easy Updates Manager to automatically apply updates as they become available. I don't personally recommend doing this because it can be dangerous if there are any compatibility issues with an update and you're not around to catch them, but some people do like this method.

2. Follow Good Plugin And Theme Best Practices

The great thing about using WordPress is how easy it is to extend your site with themes and plugins.

The bad thing about WordPress security is how easy it is to extend your site with themes and plugins.

That is, because it's become so easy to install new themes and plugins, most people do it without thinking.

But as I showed you above, plugin and theme vulnerabilities are a huge attack vector.

I'm not trying to stop you from installing new extensions, you just need to be discerning about which extensions you actually install:

Use trusted sources. While this won't solve all problems, if you stick to extensions at WordPress.org or trusted third-party developers/marketplaces, you're going to eliminate most issues.

Don't use nulled plugins. Yeah, I know you're on a budget...but it's not worth it to install the nulled plugin that might have malicious code added. Just find a free alternative if you can't afford it.

Check for known vulnerabilities. WPVulnDB does a good job of collecting these. Note that most of these vulnerabilities get fixed - so check whether or not the developer has addressed it before you write the plugin off.

Read the reviews. Reviews are a great spot to see if any existing users have experienced any security issues.

Read the support forums, too. Support forums can also help you spot issues. Better yet, they also let you see how responsive the developer is to issues, which is another helpful piece of information.

Delete unused plugins/themes. Even if you disable a plugin or theme, its code is still sitting on your server, which means it can be exploited.

3. Pick Secure WordPress Hosting

The right WordPress host can go a long way towards ensuring the security of your site.

There are two parts to this:

First, if you're on shared hosting, you want a host that isolates your sites from other sites on that server. This ensures that your site doesn't get cross-contaminated just because someone else's site on your shared server got hacked.

You can get isolation even on cheap hosting, so this isn't something that's unique to premium hosts.

To figure out if your host offers isolation, you can:

Ask the pre-sales support staff

Look at the feature list (many hosts that offer isolation are proud to say it)

The other way that hosting can protect you is via proactive measures.

A quality managed WordPress host will:

Properly configure your server to prevent many types of exploits

Set up WordPress-specific firewalls at the server level

Run malware scans and ensure file integrity

Kinsta's Security page has a good explanation of the various ways in which a host can protect you from issues.

While you can get some of these same features via WordPress plugins, having your host implement them at the server level is a better approach for both performance and security.

4. Secure Your Login Page And User Credentials

In that Wordfence survey of hacked website owners, 20% of the sites got hacked simply because the hacker somehow got ahold of a valid username and password combo.

To stop that from happening, you have a bunch of tools and tricks at your disposal:

Use Strong Passwords (Required)

Did you know that the most popular password is "123456"? If that's you...well, hopefully you change your ways after reading this post.

Simple passwords are easy to guess via a brute force attack, which accounted for ~15% of the hacked sites in Wordfence's survey.

The solution is pretty simple - always use a strong password.

To do that, you can just use WordPress' password generator:

Then, because that password is impossible to actually remember (that's kind of the point!), you can use a tool like LastPass to securely store all the passwords for your different sites (LastPass also includes a great password generator, itself).

Don't Use Admin As Your Username (Required)

Since WordPress has stopped forcing admin as the default username, this one is less of an issue.

But plenty of users still choose to use admin as their username, despite the fact that it makes them vulnerable to brute force attacks (if you use "admin" and "123456" at the same time, you should probably run a malware scan on your site right away!).

This one is easy to fix - just pick a unique username when you create a site.

If you're already using admin as your username on an existing site, you can:

Manually create a new Administrator account and then delete the admin username

Use HTTPS On Your Site (Required)

Moving WordPress to HTTPS has all kinds of other benefits - but one great thing that it does is secure your login page.

Without HTTPS, your login credentials are sent in plaintext (which means that a malicious actor can steal them if you're, say, working over public Wi-Fi). With HTTPS, though, those credentials are always encrypted in transit.

Limit Login Attempts (Should Do)

Brute force attacks work by repeatedly guessing different combinations of usernames and passwords.

Using a strong username/password combo makes that much harder. But to make things even more difficult, you can limit the number of login attempts at your site with the Loginizer plugin.

With the plugin, anyone who enters incorrect login details too many times will be locked out for a period of time (that you can customize).

Move Your Login Page (Good Idea)

I don't really think this makes your site any more secure if you're following the above tips. But it is still a good idea because it can greatly reduce the botnet traffic to your site, which lessens the load on your site's server.

So...not as big a security necessity as some people make it out to be, but still a good idea for other reasons. It's also super easy to do with the WPS Hide Login plugin (many security plugins can do this as well).

2-Factor Authentication (Not Necessary For All Sites)

I don't think this one is a necessity for most sites. But if you're really concerned about people getting unauthorized access to your site, 2-factor authentication kicks things up a notch by requiring users to enter a one-time code in addition to their password (lots of banks use this technology).

I know that this section is pretty short in comparison to the others. But that's because it's simple:

Keep a working backup of your site and any security issues will be a lot less catastrophic.

6. Bonus: Consider A Security Plugin

I know that I said five things...but I'm chucking this one in as a bonus.

Let me be honest - I don't use a security plugin on my own sites. A big part of the reason is that my host has implemented many of the most important security tweaks at the server level.

But security plugins definitely exist for a reason - they can perform a good number of the hardening tips that I've discussed above (and the tips that I will discuss in the next section). Especially if your host isn't already doing these things for you.

So here's the deal:

Security plugins can definitely be helpful. But they're not an absolute necessity if you follow all the other best practices and choose a proactive host. Nor are they a cure-all - you still need to keep the security philosophy I outlined above in mind if you want to keep your site secure.

If you want to try a security plugin on your site, two good options are:

For example, if you hire a new content writer, make sure you only give them the Author user role. They definitely don't need the ability to install plugins, nor do they need the ability to edit Pages (the latter is something the Editor role allows).

Similarly, you should pretty much never give someone else an account with Administrator privileges unless you 100% trust them and they truly need that much power.

Another great thing about Cloudflare is that it can help you defend against a DDoS attack. While a DDoS attack isn't actually "hacking" your site, it's still debilitating and hard to stop without help from a service like Cloudflare.

9. Disallow File Editing

By default, users with the Administrator role can edit plugin and theme code directly from the WordPress dashboard:

This means that an unauthorized user who gets your account credentials (which should be a lot more difficult now!) can inject their own code into your site.

If you don't use this feature anyway, I recommend disabling it to prevent that from happening.

To do that, you just need to add this code snippet to your site's wp-config.php file:

// Disable the plugin and theme code editors in the dashboard
// (add this above the "That's all, stop editing!" line in wp-config.php)
define('DISALLOW_FILE_EDIT', true);

Speaking of wp-config.php...

10. Restrict Access To wp-config.php File

Some people tell you to move your wp-config.php file. But after reading this lengthy Stack Exchange thread, I think the situation isn't quite as simple as many make it out to be...

In the end, it seems like there are some benefits that apply to rare situations where your server is misconfigured. But the common way people tell you to move it (just move it one directory up) can actually open up new vulnerabilities.

You can read that thread and decide for yourself. But my personal recommendation is to follow the official WordPress Codex, which just recommends restricting access to it by adding this code snippet to your .htaccess file:

This might break some themes that do require PHP execution in the uploads folder. If that happens - no worries. Just go back and remove the code snippet that you just added and your site should start working fine.

12. Block Directory Browsing

Directory browsing allows someone to view the contents of a folder on your server when there's no index file present. That's not good from a security perspective.
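Here's an added example (my own script, not a snippet from the post or from the WordPress Codex) that puts the two .htaccess rules from sections 10 and 12 in one place: it denies direct HTTP requests for wp-config.php and switches off directory listings. It assumes Apache 2.4 with .htaccess overrides enabled for the site, and it uses a marker comment so that running it twice doesn't duplicate the rules. The file path and the marker text are my own choices.

```shell
#!/bin/sh
# Added example, not the post's own snippet: append two Apache hardening rules
# to a WordPress site's .htaccess and verify that they are present.
# Assumes Apache 2.4 ("Require" syntax) and AllowOverride permitting
# <Files> and Options in .htaccess.

# Marker comment (my own choice) that makes the append idempotent.
WP_HARDEN_MARK='# wp-hardening rules (added example)'

# Append the rules unless the marker is already in the file.
# Usage: wp_htaccess_harden /var/www/html/.htaccess
wp_htaccess_harden() {
    htaccess="$1"
    if [ -f "$htaccess" ] && grep -qF "$WP_HARDEN_MARK" "$htaccess"; then
        return 0   # already hardened; leave the file untouched
    fi
    cat >> "$htaccess" <<EOF
$WP_HARDEN_MARK
# Section 10: browsers may never fetch wp-config.php directly
<Files "wp-config.php">
    Require all denied
</Files>
# Section 12: no auto-generated listing when a folder has no index file
Options -Indexes
EOF
}

# Return 0 if both rules are present in the file, 1 otherwise.
wp_htaccess_check() {
    htaccess="$1"
    [ -f "$htaccess" ] || return 1
    grep -qF '<Files "wp-config.php">' "$htaccess" || return 1
    grep -qF 'Require all denied' "$htaccess" || return 1
    grep -qF 'Options -Indexes' "$htaccess" || return 1
    return 0
}

# Stand-alone use: WP_HTACCESS=/path/to/.htaccess sh harden.sh
if [ -n "${WP_HTACCESS:-}" ]; then
    wp_htaccess_harden "$WP_HTACCESS"
    wp_htaccess_check "$WP_HTACCESS" && echo "hardening rules present"
fi
```

One caveat: if your host's AllowOverride setting doesn't permit the Options directive in .htaccess, the `Options -Indexes` line produces a 500 error for the whole site. If that happens, delete that line (the host has usually disabled listings server-wide anyway) and keep the Files block.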

14. Set Proper File Directory Permissions

File permissions control what various entities can do with the files on your server. If you make them too permissive, they're a security risk. But if you make them too restrictive, your site won't be able to function properly.

You can edit file permissions by using your FTP program of choice:

The permissions for WordPress should be:

Folders - 755

Files - 644

At most hosts, these should be the default permissions and you don't need to do anything manually.

So while you can make sure that things are set up right, I think the really important takeaway is this:

If you ever need to manually create a folder or file via FTP, never give it 777 permissions. Stick with the permissions outlined above.
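If you'd rather not click through every folder in an FTP client, here's an added example (my own script, not from the post) that audits a WordPress install against the baseline above (folders 755, files 644), lists anything world-writable, and can reset the stragglers. It only needs POSIX sh and find, and the directory layout in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not from the post: audit a WordPress tree against the
# baseline of 755 for folders and 644 for files, and fix deviations on request.
# Requires only POSIX sh, find and chmod.

# Print every path whose mode differs from the baseline (report only).
# Usage: wp_perm_audit /var/www/html
wp_perm_audit() {
    root="$1"
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -perm 644 -print
}

# Print every path that is world-writable (the 777/666 cases from the post).
# -perm -002 matches any mode that includes the "others may write" bit.
wp_world_writable() {
    find "$1" -perm -002 -print
}

# Number of paths deviating from the baseline; 0 means the tree is clean.
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Reset deviating paths to the baseline. Note: some hosts deliberately keep
# wp-config.php tighter than 644 (for example 600); re-apply that afterwards
# if your host does.
wp_perm_fix() {
    root="$1"
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
}

# Stand-alone use: WP_ROOT=/var/www/html sh perm-audit.sh
if [ -n "${WP_ROOT:-}" ]; then
    echo "Paths deviating from 755/644:"
    wp_perm_audit "$WP_ROOT"
    echo "World-writable paths:"
    wp_world_writable "$WP_ROOT"
fi
```

Run the audit first and read the list before running the fix; if the site runs PHP as a different user than the one that owns the files, your host may need group write on wp-content/uploads, and blindly forcing 755 there would break media uploads.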

Enjoy A More Secure WordPress Site

If you made it this far - congrats! I know I hit you with a ton of different settings and tweaks.

The good thing is that most of these WordPress security tips are one-time things.

Implement the many hardening principles that I discussed. Then, maintain your security philosophy when it comes to performing timely updates, taking regular backups, and choosing only quality plugins and themes.

If you do that, your WordPress site should stay safe and secure. And that means you can focus on making more money instead of freaking out about a malware warning from Google!

What a great and informative article. I use Wordfence plus IQ Block Country to deny access to all countries, except my own, to the backend of my site. This article has given me a lot more to think about – thank you!

Awesome, Colin. This is really a valuable article on the WordPress security system. If anyone follows these steps, he/she can secure his/her website easily. I have used WordPress since 2009, and from my experience, I know it's really a nice article in this section. Thank you.

You have covered this topic in a great way. Actually, I didn't know much about these WordPress security things, and I have just installed the Sucuri plugin only. Restrict Access To wp-config.php File, Block Execution In Uploads Folder, Disable XML-RPC etc. are new things for me.

Here I want to ask you: my blog gets many login attempts, so is there any way to stop this?

Hi Colin, thanks for sharing this detailed guide on WordPress security. I will apply these tips on my sites to increase the security of my site. But I don't think anyone can hack my WP site even without applying these tips.

Wow! I am indeed impressed, Colin! I never read a post on this topic before that is as detailed and in-depth as this one. Thanks for sharing your tip #8, which is about Cloudflare. I never knew Cloudflare is a security tool; I will definitely go for it. Much appreciated.